Elastic Load Balancer SSL Setup Guide – PEM encoded CSR

This is a repost from http://cloudarch.co.uk/2011/10/elastic-load-balancer-ssl-setup-guide-pem-encoded-csr. That site is either gone or down. James posted the original and the credit goes to him.


Amazon Elastic Load Balancers have the nice feature of being able to do SSL termination, but what does that mean? Usually when using SSL you have to configure each server to have your SSL certificate installed to provide HTTPS. Using Amazon ELB means that you only have to install your SSL certificate in one place and Amazon do everything for you. This also has the benefit of taking load off your servers, because the overhead of SSL encryption is handled by the load balancer.

Setting up SSL on Amazon ELB is a bit different from configuring SSL in Apache and is a bit tricky, so I wanted to create a guide on how to do this. This guide assumes GoDaddy as the SSL provider, but it applies to any SSL provider that uses a normal CSR process.

The reason this is different from a normal CSR process is that Amazon require your keys and certificates to be PEM encoded, instead of the format GoDaddy or other SSL providers generate by default.

I. Getting a GoDaddy SSL Certificate (Part I)

1. Purchase a GoDaddy Standard SSL Certificate

GoDaddy sells Standard SSL Certificates for anywhere from $12.99/year to $49.99/year.  I highly recommend you do a search for ‘cheap ssl’ on Google and see if there are any advertisements for discounted GoDaddy Standard SSL Certificates.  I was able to buy my certificate for $12.99/year this way.

2. After you complete your purchase, GoDaddy will give you a credit that you can trade for a certificate.  Make the trade and click on ‘Manage Certificate’ next to your new certificate.  This will bring you to a Credits control panel where we will click ‘Request Certificate’ next to your new certificate later on, when we are ready to set up your certificate.

 

II. Creating a Certificate Signing Request (CSR)

Note: To create an SSL certificate, you must first generate and submit a Certificate Signing Request (CSR) to the Certification Authority (CA) (i.e. GoDaddy). The CSR contains your certificate-application information, including your public key. Generating the CSR also produces your public/private key pair, which is used for encrypting and decrypting secure transactions.

These instructions are based on generating the CSR on Ubuntu.

Steps to create a CSR:

1. Make a new directory to hold your project’s SSL-related files.  It doesn’t really matter where you put this, but I recommend putting it somewhere safe; it should not be in your web directory.

mkdir ssl-cert

2. Move to your newly created folder

cd ssl-cert

3. Use OpenSSL to generate an RSA host key (‘host.key’) with a 2,048-bit key length (as required by GoDaddy), encrypting the key file with triple DES.  Triple DES is just DES applied three times, but is more secure against brute force attacks because of its longer key length.

openssl genrsa -des3 -out host.key 2048

It will ask you for a pass phrase.  This should be a secret password.  Don’t forget the pass phrase you set, as we will need it later.

4. Use OpenSSL to generate a new certificate signing request (‘host.csr’) using the host key we just created.  This is what you’ll be sending to GoDaddy; your new SSL certificate will be modelled on it.

openssl req -new -key host.key -out host.csr

You will be prompted with a bunch of questions.  Answer all of them; only the last two ‘extra’ attributes are optional.  Here are example responses:

Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:Warwickshire
Locality Name (eg, city) []:Leamington Spa
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company Name
Organizational Unit Name (eg, section) []:secure.yourdomain.com
Common Name (eg, YOUR name) []:secure.yourdomain.com
Email Address []:contact@yourdomain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

It is very important you don’t mistype anything here, as you can’t change this information without buying a new SSL certificate.  ‘Organizational Unit Name’ and ‘Common Name’ must be the hostname you are using for your domain.

III. Getting a GoDaddy SSL Certificate (Part II)

1. Return to where we left off with GoDaddy.  You should have clicked ‘Request Certificate’ and see a form where you need to answer the following questions:

Where is your certificate going to be hosted? Third Party

Enter your Certificate Signing Request (CSR) below: [copy the text contents of 'host.csr' here]

Select your certificate issuing organization: GoDaddy

Is this certificate for Intel vPro? No

2. Verify everything and then click through to finish.  You should now be able to view and download your GoDaddy SSL certificate from GoDaddy from the ‘Manage Certificates’ section.

IV. Prepare SSL Certificate for Heroku

1. Download your new SSL certificate from GoDaddy’s website into the ‘ssl-cert’ directory that we created in step I.  You will get two files from GoDaddy: ‘secure.yourdomain.com.crt’ and ‘gd_bundle.crt’.  ‘secure.yourdomain.com.crt’ is your new SSL certificate.  ‘gd_bundle.crt’ contains the SSL issuing certificate chain back to the root SSL certificate.

2. Combine ‘secure.yourdomain.com.crt’ and ‘host.key’:

cat secure.yourdomain.com.crt host.key > host.pem

3. Remove the pass phrase from the combined key and certificate file (required by Amazon). The first command writes the decrypted key, the second appends the certificate:

openssl rsa -in host.pem -out nopassphrase.pem

openssl x509 -in host.pem >>nopassphrase.pem

You will be asked for the pass phrase you set in step I.

4. Open ‘nopassphrase.pem’ in a text editor and delete the ‘private key’ section, i.e. everything from the BEGIN line to the END line, inclusive:

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

5. Combine ‘gd_bundle.crt’ and ‘nopassphrase.pem’:

cat nopassphrase.pem gd_bundle.crt > public.pem

‘gd_bundle.crt’ is a chain file that links your certificate back to the trusted root certificate that GoDaddy owns.

6. Remove the pass phrase from the private key (required by Amazon)

openssl rsa -in host.key -out private.key

You will be asked for the pass phrase you set in step I.
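As an added example (not part of James's original guide), the following stdlib-only Python script does steps IV.4 and IV.5 programmatically and checks the result before it is pasted into the ELB: it strips any private key block from the combined file, puts the leaf certificate before the chain, and confirms that the private key file holds exactly one key and that the key is no longer pass-phrase protected (step IV.6). The certificate and key bodies it works on are constructed stand-ins (a DER SEQUENCE wrapping a short label), not real GoDaddy material, and all function names are my own.

```python
import base64
import re

# One PEM block: group 1 is the label, group 2 everything between the BEGIN
# and END lines (optional "Proc-Type"/"DEK-Info" headers, then base64).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Split PEM text into blocks; each is a dict with label, encrypted, der."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, inner = match.group(1), match.group(2)
        headers, body = [], []
        for line in inner.splitlines():
            # Base64 never contains ':', so a colon marks an RFC 1421 header line.
            (headers if ":" in line else body).append(line.strip())
        der = base64.b64decode("".join(body), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body does not start with a DER SEQUENCE")
        encrypted = any(h.startswith("DEK-Info") for h in headers)
        blocks.append({"label": label, "encrypted": encrypted, "der": der})
    return blocks


def to_pem(label, der):
    """Re-encode DER as a PEM block with the usual 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def strip_private_key(pem_text):
    """Step IV.4 done programmatically: drop every PRIVATE KEY block."""
    return "".join(to_pem(b["label"], b["der"]) for b in parse_pem(pem_text)
                   if "PRIVATE KEY" not in b["label"])


def build_public_pem(cert_pem, bundle_pem):
    """Step IV.5: leaf certificate first, then the issuing chain, no key."""
    leaf = [b for b in parse_pem(cert_pem) if b["label"] == "CERTIFICATE"]
    chain = [b for b in parse_pem(bundle_pem) if b["label"] == "CERTIFICATE"]
    if len(leaf) != 1:
        raise ValueError("expected exactly one leaf certificate")
    if not chain:
        raise ValueError("bundle contains no certificates")
    return "".join(to_pem("CERTIFICATE", b["der"]) for b in leaf + chain)


def check_elb_upload(public_pem, private_key_pem):
    """Return the problems a reviewer would flag before pasting into the ELB."""
    pub, key = parse_pem(public_pem), parse_pem(private_key_pem)
    problems = []
    if any("PRIVATE KEY" in b["label"] for b in pub):
        problems.append("public chain still contains a private key")
    if not pub or pub[0]["label"] != "CERTIFICATE":
        problems.append("first block of the chain must be the leaf certificate")
    if len(pub) < 2:
        problems.append("chain has no intermediate certificates")
    if len(key) != 1 or "PRIVATE KEY" not in key[0]["label"]:
        problems.append("private key file must hold exactly one key block")
    elif key[0]["encrypted"]:
        problems.append("private key is still pass-phrase protected (DEK-Info header present)")
    return problems


def _fake_der(tag):
    """Constructed stand-in for DER: a SEQUENCE whose content is an ASCII tag."""
    payload = tag.encode("ascii")
    return b"\x30" + bytes([len(payload)]) + payload


# Constructed sample material standing in for the GoDaddy downloads and host.key.
SAMPLE_CERT = to_pem("CERTIFICATE", _fake_der("leaf:secure.yourdomain.com"))
SAMPLE_BUNDLE = (to_pem("CERTIFICATE", _fake_der("gd-intermediate"))
                 + to_pem("CERTIFICATE", _fake_der("gd-root")))
SAMPLE_KEY_PLAIN = to_pem("RSA PRIVATE KEY", _fake_der("key-no-passphrase"))
# What host.key looks like before step IV.6: traditional PEM with encryption headers.
SAMPLE_KEY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                        + base64.b64encode(_fake_der("key-encrypted")).decode("ascii")
                        + "\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    host_pem = SAMPLE_CERT + SAMPLE_KEY_PLAIN                    # output of steps IV.2/3
    nopassphrase = strip_private_key(host_pem)                   # step IV.4
    public_pem = build_public_pem(nopassphrase, SAMPLE_BUNDLE)   # step IV.5
    print("problems with correct files:", check_elb_upload(public_pem, SAMPLE_KEY_PLAIN))
    print("problems with encrypted key:", check_elb_upload(public_pem, SAMPLE_KEY_ENCRYPTED))
```

The order check matters because the ELB (like most TLS servers) presents the chain in file order and expects the leaf first; the DEK-Info check catches the case where step 6 was skipped and the still-encrypted ‘host.key’ is pasted instead of ‘private.key’.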

You might be asking yourself: What do all of these file extensions mean?  Well, here you go:

*.csr — Certificate Signing Request used for submission to signing authorities that issue SSL certificates

*.crt — Public key of a certificate (same as a *.pem file, but with a different extension).  May include a chain of certificates back to the host certificate.  This is what you’ll get from GoDaddy when you download a purchased certificate.

*.pem — Public key of a certificate (same as a *.crt file, but with a different extension).  May include a chain of certificates back to the host certificate.  This is the encoding Amazon expects when you paste the certificate into the ELB.

*.key — Private key of a certificate

V. Configure on Amazon ELB

You are now ok to take the key files you have just generated and copy and paste them into your Elastic Load Balancer configuration. When applying SSL you need to create a new ELB. When setting up the load balancer you can keep your server config simple by passing the HTTPS traffic from the ELB to port 80 on your server.

That’s it, you now have HTTPS/SSL on your site.

Parsing Query Strings in Java and accessing values by key

First, you require Apache HttpComponents from http://hc.apache.org/, specifically httpclient-4.1.3.jar and httpcore-4.1.3.jar. Then two classes:

NameValuePairComparator.java

import java.util.Comparator;
import org.apache.http.NameValuePair;

// Orders NameValuePairs by name only, so a list can be binary-searched by key.
public class NameValuePairComparator implements Comparator<NameValuePair>
{
    @Override
    public int compare(NameValuePair arg0, NameValuePair arg1)
    {
        return arg0.getName().compareTo(arg1.getName());
    }
}

QueryParamList.java

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.http.NameValuePair;
import org.apache.http.message.BasicNameValuePair;

public class QueryParamList
{
    private List<NameValuePair> params;
    private boolean sorted = false;
    private final NameValuePairComparator comparator = new NameValuePairComparator();

    public QueryParamList(List<NameValuePair> params)
    {
        setParams(params);
    }

    // Sort once, lazily, so that get() can use binary search.
    protected void sort()
    {
        Collections.sort(params, comparator);
        sorted = true;
    }

    // Returns the value for key, or null when the key is not present.
    // With repeated keys (a=1&a=2) whichever match binarySearch lands on is returned.
    public String get(String key)
    {
        if (!sorted)
        {
            sort();
        }
        // The comparator ignores the value, so a null placeholder value is fine.
        int index = Collections.binarySearch(params, new BasicNameValuePair(key, null), comparator);
        // binarySearch returns a negative insertion point when the key is absent.
        if (index >= 0)
        {
            return params.get(index).getValue();
        }
        return null;
    }

    public List<NameValuePair> getParams()
    {
        return params;
    }

    public void setParams(List<NameValuePair> params)
    {
        // Copy so sorting does not reorder the caller's list, and re-sort on the next get().
        this.params = new ArrayList<NameValuePair>(params);
        this.sorted = false;
    }
}

Example:

import java.net.URI;
import org.apache.http.client.utils.URLEncodedUtils;

// URLEncodedUtils.parse(URI, String) splits the query string into NameValuePairs.
URI uri = new URI("http://go.com?a=1");
QueryParamList params = new QueryParamList(URLEncodedUtils.parse(uri, "UTF-8"));
String a = params.get("a"); // a is "1"; params.get("missing") would be null

The Golden Cathedral, Utah

Neon Canyon & The Golden Cathedral

I guess it must be me, but I can never understand why people fly to the South West and just hit up Vegas. It’s glitzy, I’ll give you that, but a mere 300 miles to the North-East, in Utah, is a small town called Escalante. It sometimes has a shortage of fresh fruit and veg, but the people are awesome friendly, and the town itself sits on the edge of the Escalante Grand Staircase (note: not an actual staircase but 1.9 million acres of protected land). At any rate, we passed through there in 2010, and discovered one of the highlights of our trip, Neon Canyon. A short trip to the BLM Office in Escalante will get you directions. You find your own way across the desert, drop down into a canyon cut by a river, and after a while you’ll hit Neon Canyon, a side canyon. Probably one of the most amazing hikes of my life. Trust me, forget about Vegas. See this place instead.

Just a few notes though:

  • Take plenty of water (obviously)
  • Consider long pants. You have to navigate down the river for a while, and the horse flies are vicious. They’re like aliens running around in the space ship air ducts, busting through the walls, and eating the crew alive – vicious. They’re not in the canyon though.
  • I did it in my shoes. Man, I wish I had done it in my sandals.
  • We had a GPS as a safeguard to our map navigation skills.

The Golden Cathedral @ the end of Neon Canyon, Utah


MySQL Access Denied on OSX 10.6.6

Man, this drove me nuts. I have a native setup of MySQL and PHP. I followed the detailed steps defined by Jerome here, but I kept getting:

Access denied for user 'root'@'localhost' (using password: YES)

So I could connect, but access was denied, and I was positive, 100% sure that the password was correct. So I tried creating another user. The code was pretty simple:

<?php
error_reporting(E_ALL);
mysql_connect('localhost', 'jgerard', 'password') or die(mysql_error());
echo 'No errors';
?>

I checked everything, and it was good. Then I tried not using localhost, or 127.0.0.1 and everything passed. No problem. The problem was using the wildcard in the mysql account setup. So this does **not** work:

But this does:

So basically, make sure you list localhost specifically for the user, and you’re set. Otherwise, you have to use the external IP address of the machine, and not the loopback.


#1 Reason we weren’t allowed into the Hilton?

The next day we parked in the Bellevue Hilton’s forecourt. Perhaps not surprisingly, there were no rooms. Personally, I think it was the plywood with too much camping gear strapped to it. ;)